mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-17 21:53:43 +09:00
Add validation for banned and blacklisted custom fields.
This update enhances security by introducing checks for banned and blacklisted meta keys in custom fields. It includes CSS updates for admin builder styles and ensures banned fields are flagged accurately in the site health tool.
This commit is contained in:
@@ -34,6 +34,9 @@ if ( ! class_exists( 'um\core\Builtin' ) ) {
|
||||
public $saved_fields = array();
|
||||
|
||||
/**
|
||||
* Field keys that cannot be used as metakey when add new custom field to UM Form.
|
||||
* Note: They are used both with function `UM()->user()->is_metakey_banned()` to avoid using unsecure metakeys.
|
||||
*
|
||||
* @var array
|
||||
*/
|
||||
public $blacklist_fields = array();
|
||||
@@ -183,7 +186,7 @@ if ( ! class_exists( 'um\core\Builtin' ) ) {
|
||||
* @return int|string Empty or error string.
|
||||
*/
|
||||
public function blacklist_field_err( $key ) {
|
||||
if ( in_array( strtolower( $key ), $this->blacklist_fields, true ) || in_array( strtolower( $key ), UM()->user()->banned_keys, true ) ) {
|
||||
if ( in_array( strtolower( $key ), $this->blacklist_fields, true ) || UM()->user()->is_metakey_banned( $key ) ) {
|
||||
return __( 'Your meta key can not be used', 'ultimate-member' );
|
||||
}
|
||||
|
||||
@@ -1426,6 +1429,9 @@ if ( ! class_exists( 'um\core\Builtin' ) ) {
|
||||
public function set_blacklist_fields() {
|
||||
$this->blacklist_fields = array(
|
||||
'id',
|
||||
'role',
|
||||
'user_id',
|
||||
'user_pass',
|
||||
);
|
||||
|
||||
/**
|
||||
|
||||
Reference in New Issue
Block a user